The Problem

We’re in the second half of the year, which means a long array of tradeshows is now behind us. On the heels of the most recent events I’ve attended, the Gartner Security and Risk Management Summit and IANS Dallas – both excellent shows attended by an impressive array of information security brass – I realized that there is still one fundamental issue: an InfoSec elephant in the room which often clouds the judgment of many very intelligent people. It came up during several conversations throughout the year, but not until discussing it on Twitter was I forced to distill The Problem into its simplest form:

@thegrugq @CipherLaw what I’m seeing with corp infosec and IT in general is the same epidemic: the notion that policy somehow trumps reality

To measure the business value of an information security architecture, we should equally weigh its technical capabilities with its impact on user productivity.

That is to say, you can tell an employee “this is your box, you must work inside of it,” but if they can’t do everything they want to do inside of that box, or if that box is not ergonomic or responsive enough to the user’s needs, you can count on them exiting the box outside of your purview. At that point, regardless of how secure the box is, it will have lost its business value.

By the way, I wrote “want” instead of “need” when I referred to user behavior here on purpose: if we are to accept The Problem as fact, then policy must be bounded by reality, rather than the other way around. That’s why we, at Bromium, have built an architecture that assumes users need to do what they want to do, because we believe feeling productive is being productive, and security should be an inherent and painless component of a productive environment.